Traditionally, a user authenticates to a web service through a web portal. Commonly, the user reaches the portal by directing a web browser to it via a Uniform Resource Locator (URL), which is a representation of the web portal address, usually in a more human-readable form.
Authentication for the web portal usually requires the user to input a unique combination of a username and a password that identifies and authenticates that specific user. The web portal usually prompts the user to submit these credentials in a web-based form, which is delivered as standards-based code that the web browser renders. The credentials are usually entered into the web browser subject to special policy requirements that determine the number and type of characters required in the password for access to that web service. Longer alphanumeric passwords usually provide a stronger defense against brute-force computational attacks.
Existing credential manager software typically allows a user to register credentials for logging into a web site with the credential manager. Upon accessing the relevant web page, the credential manager injects the credentials into the web authentication form, using application programming interface (API) and software development kit (SDK) tools provided by the browser. The injection is typically done by means of a content script, usually JavaScript code, that the credential manager's browser extension injects into the web page. The content script runs in the user's browser and fills in the web form, possibly also submitting the form back to the web site automatically to complete the login.
Past attempts to harden security have included implementing “zero knowledge” encryption schemes. “Zero knowledge” indicates that encryption and decryption are based upon information that only the authenticating user knows, thereby preventing the credential manager, or the entity supplying the credential manager, from having access to the credentials. Zero knowledge schemes typically involve an encryption key that is held separately by the authenticating user, or derived from information held separately by the authenticating user, allowing the credential manager to store the encrypted credentials while holding none of the information required to decrypt them.
However, when the user loses or forgets the encryption key, all access to the encrypted credentials is lost, because neither the user nor the credential manager has sufficient information to decrypt the encrypted credentials.